All constraints have a `match` field, which defines the objects a constraint
applies to. All conditions specified must be matched before an object is
in-scope for a constraint.
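# Schema of a constraint's `match` block. `<string>` and `[key]` are
# placeholders to replace, not literal values. Fields indented under a parent
# key belong to that parent.
#
# YAML quoting: a value that begins with `*` (for example `*-system`, or a bare
# `*` for apiGroups or scope) must be quoted; an unquoted leading `*` is read
# by the parser as an alias indicator and the document is rejected.

# excludedNamespaces <array>: ExcludedNamespaces is a list of namespace names.
# If defined, a constraint only applies to resources not in a listed namespace.
# ExcludedNamespaces also supports a prefix or suffix based glob. For example,
# `excludedNamespaces: ["kube-*"]` matches both `kube-system` and
# `kube-public`, and `excludedNamespaces: ["*-system"]` matches both
# `kube-system` and `gatekeeper-system`.
# NOTE(review): this is an exemption by namespace name. A glob exempts every
# namespace whose name fits the pattern, including namespaces created later,
# so keep patterns narrow and prefer explicit names where possible.
excludedNamespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
kinds:
  # <list item: object>: Kinds accepts a list of objects with apiGroups and
  # kinds fields that list the groups/kinds of objects to which the constraint
  # will apply. If multiple groups/kinds objects are specified, only one match
  # is needed for the resource to be in scope.
  - # apiGroups <array>: APIGroups is the API groups the resources belong to.
    # '*' is all groups. If '*' is present, the length of the slice must be
    # one. Required.
    apiGroups:
      - <string>
    # kinds <array>: the kinds of objects matched within the listed API groups.
    kinds:
      - <string>
# labelSelector <object>: LabelSelector is the combination of two optional
# fields: `matchLabels` and `matchExpressions`. These two fields provide
# different methods of selecting or excluding k8s objects based on the label
# keys and values included in object metadata. All selection expressions from
# both sections are ANDed to determine if an object meets the cumulative
# requirements of the selector.
# NOTE(review): labels are part of object metadata, so whoever can set an
# object's labels also influences whether it is in scope. Confirm who has label
# write access before relying on a label alone to scope a constraint.
labelSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# name <string>: Name is the name of an object. If defined, it will match
# against objects with the specified name. Name also supports a prefix or
# suffix glob. For example, `name: pod-*` would match both `pod-a` and
# `pod-b`, and `name: "*-pod"` would match both `a-pod` and `b-pod`.
name: <string>
# namespaceSelector <object>: NamespaceSelector is a label selector against an
# object's containing namespace or the object itself, if the object is a
# namespace.
# NOTE(review): scope here depends on namespace labels, so it is influenced by
# whoever can label namespaces; confirm that access is restricted.
namespaceSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# namespaces <array>: Namespaces is a list of namespace names. If defined, a
# constraint only applies to resources in a listed namespace. Namespaces also
# supports a prefix or suffix based glob. For example,
# `namespaces: ["kube-*"]` matches both `kube-system` and `kube-public`, and
# `namespaces: ["*-system"]` matches both `kube-system` and
# `gatekeeper-system`.
namespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
# scope <string>: Scope determines if cluster-scoped and/or namespace-scoped
# resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to
# `*`). When setting the wildcard explicitly, quote it: `scope: "*"`.
scope: <string>
# source <string>: Source determines whether generated or original resources
# are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A
# value of `Generated` will only match generated resources, while `Original`
# will only match regular resources.
# Allowed Values: All, Generated, Original
source: <string>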